
Multiple infection, super virus?


Neil101


Hey all, firstly a big thanks to anyone that bothers to read through this because it might be a bit long...

Anyway... Around a month ago my computer started playing up. It randomly started resetting itself and loading up with the message "Windows has recovered from a serious error", and every time I clicked a link on Google it would take me to some totally random website... Then after around 2 months of that it got worse: my computer started slowing right down to the point where it was almost unusable, and when I turned it on one morning my background had been changed to something like... "YOUR SYSTEM IS INFECTED DOWNLOAD THE APPROPRIATE REMOVAL TOOLS AT THIS WEBSITE *Link here*". This ran some random virus scanner that I hadn't downloaded, so I cancelled it and deleted it from my PC...

I then downloaded Malwarebytes Anti-Malware, AVG, Spybot Search and Destroy, CCleaner and HijackThis... I run each one twice a day, except HJT...

Each time I scan it finds different viruses, and it varies from about 5-30 on each scan...

It mainly finds this program... "C:\WINDOWS\system32\drivers\str.sys" and says it's a Rootkit.Agent. It then says it will be deleted on the next boot up, but it finds it on every single scan. I've tried running AVG in safe mode as Malwarebytes doesn't seem to work in safe mode.

I have manually found the file but I can't delete it as it says it's in use.

I just ran 2 MBAM scans; this is the log for the second one, I can't seem to find the first...

Malwarebytes' Anti-Malware 1.39

Database version: 2532

Windows 5.1.2600 Service Pack 2

16/09/2009 05:00:20

mbam-log-2009-09-16 (05-00-13)new1

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 144701

Time elapsed: 17 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AlerterALG (Trojan.Downloader) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:

c:\windows\system32\lowsec\local.ds (Stolen.data) -> No action taken.

c:\windows\system32\lowsec\user.ds (Stolen.data) -> No action taken.

C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.

It didn't let me get rid of about 6 and it found 17 that time; the time before it found 21.

I've been messing around with HijackThis and ending processes that sound suspicious, but I really don't know what I'm doing...

Also this morning when I tried to load up AVG and scan with it, it said there were no active components, so I'll download that again tonight.

I've been messing around with my computer now trying to find a solution for almost 8 hours, so I'm kind of tired of it and just want to get it fixed. I can't re-install Windows either as I don't have the Windows key, I don't think.

Here is the HijackThis log I just did... if it helps...

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O17 - HKLM\System\CS1\Services\Tcpip\..\{0BD31D43-0319-4211-A22C-8AF2230A5835}: NameServer = 217.171.132.1 217.171.135.1

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 3270 bytes

Well I think I've said everything, a real big thanks to anyone who attempts to help and thanks to anyone who read it all :)

Hope to hear from you soon :D

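A small triage helper for the MBAM log format posted above, added here as an example (not code from Malwarebytes, HijackThis or the poster): it parses the `item (Detection) -> action` lines, counts detections per class, lists what MBAM could not remove (the items that keep reappearing), and checks the Winlogon Userinit value reported on the Hijack.Userinit and HijackThis F2 lines for programs appended after userinit.exe. The sample log inside it is constructed to match the format of the logs in this thread.

```python
"""Triage helper for the Malwarebytes' Anti-Malware (MBAM) 1.x log format.
Added example for this thread, not code from Malwarebytes, HijackThis or the
poster; the sample log at the bottom is constructed to match the logs above."""
import re
from collections import Counter

# One MBAM result line: "<item> (<Detection.Name>) -> <action text>".
_RESULT_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# Section headers MBAM prints before each group of results.
_SECTIONS = {
    "Memory Processes Infected:", "Memory Modules Infected:",
    "Registry Keys Infected:", "Registry Values Infected:",
    "Registry Data Items Infected:", "Folders Infected:", "Files Infected:",
}
# The only program a clean Windows XP Userinit value should run.
EXPECTED_USERINIT = "userinit.exe"


def parse_mbam_log(text):
    """Parse an MBAM log into result dicts with section, item, detection,
    action and removed (False when MBAM reports "No action taken"). Hijack.*
    data items also get bad/good from MBAM's "Bad: (...) Good: (...)" text."""
    results, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line in _SECTIONS:
            section = line.rstrip(":")
            continue
        if section is None:  # still in the header (version, date, counts)
            continue
        m = _RESULT_RE.match(line)
        if not m:
            continue
        rec = dict(section=section, **m.groupdict())
        bad_good = re.search(r"Bad: \((.*?)\) Good: \((.*?)\)", rec["action"])
        if bad_good:
            rec["bad"], rec["good"] = bad_good.group(1), bad_good.group(2)
        rec["removed"] = "No action taken" not in rec["action"]
        results.append(rec)
    return results


def userinit_extras(value):
    """Return every program in a Winlogon Userinit value other than userinit.exe.
    The value is a comma-separated list winlogon runs at logon; a clean XP box
    lists only userinit.exe (trailing comma included). Anything appended, like
    sdra64.exe in the logs above, is a logon persistence hook. Accepts the
    HijackThis F2 form "UserInit=..." as well as the bare registry data."""
    if value.lower().startswith("userinit="):
        value = value.split("=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != EXPECTED_USERINIT]


def triage(results):
    """Counts per detection class, items MBAM left in place (the ones that
    reappear on the next scan), and Userinit persistence hooks."""
    hooks = []
    for r in results:
        if r["detection"] == "Hijack.Userinit" and "bad" in r:
            hooks.extend(userinit_extras(r["bad"]))
    return {
        "by_class": dict(Counter(r["detection"] for r in results)),
        "not_removed": [r["item"] for r in results if not r["removed"]],
        "userinit_hooks": hooks,
    }


# Constructed sample in the format of the logs posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2807

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rgadta (Trojan.Goldun) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\rgadta.sys (Trojan.Goldun) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
"""

if __name__ == "__main__":
    for key, val in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {val}")
```

Feed it a saved mbam-log-*.txt instead of SAMPLE_LOG to see which detections survive between scans; a non-empty userinit_hooks list means the logon path is still hijacked regardless of what was quarantined.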

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • After the automatic "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
  • Re-enable your antivirus and any antimalware programs you disabled before running the scan

Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Quick scan" results into your reply. Often that alone provides enough information.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

---

Your version of MBAM is very outdated. The current version is 1.41. You should uninstall the version you now have and then install the new version and run a scan as follows:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from:

BestTechie.net

http://www.besttechie.net/tools/mbam-setup.exe

or

MajorGeeks.com:

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

Double-click mbam-setup.exe and follow the prompts to install the program. At the end of the install, place a checkmark next to the following two options:

  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware

  • Click Finish.
  • MBAM will automatically update, if the above options are checked.
  • Once the program launches, select Perform complete scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post ARK.txt, C:\Combofix.txt, and the MBAM v. 1.41 log

If you need an antivirus, I prefer that you download, install and run this highly rated antivirus called Antivir by Avira:

http://www.free-av.com/en/trialpay_downloa..._antivirus.html

Update it, and then run a complete system scan. Post the scan report afterward.


Thank you :) I updated Malwarebytes as I was doing the topic, this is the log after I updated it...

Malwarebytes' Anti-Malware 1.41

Database version: 2807

Windows 5.1.2600 Service Pack 2

16/09/2009 05:19:13

mbam-log-2009-09-16 (05-19-04).txt

Scan type: Quick Scan

Objects scanned: 92295

Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 13

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 2

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\vsfoceoepavihh.dll (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{50a99122-4c8c-4317-811e-54b5dad44b52} (Password.Stealer) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rgadta (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\rgadta (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rgadta (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hwdatacard (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\hwdatacard (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwdatacard (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npf (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\npf (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\npf (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\rgadta.sys (Trojan.Goldun) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\rgadta.sys (Trojan.Goldun) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\19662034 (Rogue.Multiple) -> No action taken.

C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:

\\?\globalroot\systemroot\system32\vsfoceoepavihh.dll (Rootkit.TDSS) -> No action taken.

C:\WINDOWS\system32\rgadta.sys (Trojan.Goldun) -> No action taken.

C:\WINDOWS\system32\drivers\ewusbmdm.sys (Trojan.Goldun) -> No action taken.

C:\WINDOWS\system32\drivers\npf.sys (Trojan.Goldun) -> No action taken.

C:\Documents and Settings\All Users\Application Data\19662034\19662034 (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\All Users\Application Data\19662034\pc19662034ins (Rogue.Multiple) -> No action taken.

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.

C:\WINDOWS\system32\lpocg.dll (Password.Stealer) -> No action taken.

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.

I will follow the rest of your instructions now :D


Right... Done everything now I believe, and sorry I didn't reply earlier... Didn't refresh the page while I was downloading the stuff...

It says no action taken I think because I get an error saying they can't be deleted at this moment in time and that they will be deleted on start up, but they're always still there...

I just did everything you told me to...

I will attach the logs as they're quite big... When I ran ComboFix AVG was "Active". I disabled it, I exited it from the taskbar thingy and I disabled the shield, but ComboFix said it was still active. I tried to un-install AVG but keep getting an error, but it seemed to have worked like the guide said it would... The other thing... GMER was it? That scan took like 45 minutes or something and ComboFix was really fast ;D

Just doing a Full Scan of Malwarebytes now and then I'll upload all 3 logs...

But just one thing I noticed... "2009-09-03 11:58 . 2009-09-03 11:58 75008 ----a-w- c:\windows\system32\drivers\oferxgwddtdsb.sys" in the ComboFix log. I noticed this the other day in Task Manager; it was open about 10-13 times and was using all my CPU, which was making my computer go insanely slow, and it also loaded on start up, so it took me a good 10-15 mins to actually log in. Will this have been deleted? As I think it could be some kind of virus/malware.

Done, sorry I fell asleep this morning at 8am and only just woke up hehe

ComboFix.txt

ARK.txt.txt

mbam_log_2009_09_16__15_59_35_.txt


Okay, 1 second :P

Malwarebytes' Anti-Malware 1.41

Database version: 2807

Windows 5.1.2600 Service Pack 2

16/09/2009 15:59:40

mbam-log-2009-09-16 (15-59-35).txt

Scan type: Full Scan (C:\|)

Objects scanned: 139444

Time elapsed: 39 minute(s), 35 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 6

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

C:\WINDOWS\Fonts\unwise_.exe (Worm.Archive) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Hosts Controller (Trojan.Agent) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime (Malware.Trace) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\reup (Malware.Trace) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WaitToKillServiceT (Malware.Trace) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\fonts\unwise_.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Fonts\unwise_.exe (Worm.Archive) -> No action taken.

GMER 1.0.15.15087 - http://www.gmer.net

Rootkit scan 2009-09-16 06:53:58

Windows 5.1.2600 Service Pack 2

Running: this6dwe.exe; Driver: C:\DOCUME~1\PCIEXP~1\LOCALS~1\Temp\pxtdapow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{185B646B-4E14-BAF9-42A0-9A5412013BB8}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{185B646B-4E14-BAF9-42A0-9A5412013BB8}@abfjeeccamnffjknhjkfgejjdjklpebjac 0x61 0x61 0x00 0x00

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{185B646B-4E14-BAF9-42A0-9A5412013BB8}@bbfjeeccamnffjknhjdfdkinajggimpokoai 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.15 ----

ComboFix 09-09-14.02 - Pci Express 16/09/2009 7:01.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1919.1436 [GMT 1:00]

Running from: c:\documents and settings\Pci Express\Desktop\fixit.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Pci Express\Application Data\Microsoft\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C9.exe

c:\documents and settings\Pci Express\Application Data\Microsoft\Installer\{9580813D-94B1-4C28-9426-A441E2BB29A5}\Icon9580813D.ico

c:\documents and settings\Pci Express\Application Data\Microsoft\Installer\{9580813D-94B1-4C28-9426-A441E2BB29A5}\Icon9580813D1.ico

c:\windows\system32\3117028273.dat

c:\windows\system32\config\systemprofile\Start Menu\Programs\Total Security

c:\windows\system32\config\systemprofile\Start Menu\Programs\Total Security\Total Security 2009.lnk

c:\windows\system32\i

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_ONESTEP_SERVICE

-------\Legacy_TLNTSVRWSCSVC

-------\Service_OneStep Service

-------\Service_TlntSvrwscsvc

-------\Legacy_Irmon

-------\Service_Irmon

((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))

.

2009-09-16 04:55 . 2009-09-16 04:57 -------- d-----w- C:\ARK

2009-09-16 04:32 . 2009-09-16 04:32 54016 ----a-w- c:\windows\system32\drivers\gecdtgiu.sys

2009-09-16 04:24 . 2009-09-16 04:24 54016 ----a-w- c:\windows\system32\drivers\evum.sys

2009-09-15 23:54 . 2009-09-15 23:54 51408 ----a-w- c:\documents and settings\Pci Express\Local Settings\Application Data\prvlcl.dat

2009-09-03 11:58 . 2009-09-03 11:58 75008 ----a-w- c:\windows\system32\drivers\oferxgwddtdsb.sys

2009-09-02 02:29 . 2009-09-02 02:29 18480 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-02 02:06 . 2009-09-02 02:11 -------- d-----w- c:\windows\system32\CatRoot_bak

2009-09-02 00:03 . 2009-09-02 00:06 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-31 08:28 . 2008-01-17 15:50 100864 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys

2009-08-31 08:28 . 2008-01-17 15:50 100864 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys

2009-08-31 08:28 . 2008-01-17 15:50 100864 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys

2009-08-31 08:28 . 2009-08-31 08:28 -------- d-----w- c:\windows\system32\SupportApp

2009-08-30 22:04 . 2009-08-30 22:04 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-30 22:03 . 2009-08-30 22:03 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-08-30 22:03 . 2009-08-30 22:03 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-08-30 22:03 . 2009-08-30 22:03 -------- d-----w- c:\program files\Real

2009-08-30 15:18 . 2009-08-30 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-08-30 15:17 . 2009-08-30 15:17 -------- d-----w- C:\NVIDIA

2009-08-30 14:11 . 2009-09-03 22:01 -------- d-----w- c:\program files\Steam

2009-08-27 20:45 . 2009-08-27 20:45 -------- d-----w- c:\documents and settings\Pci Express\Application Data\Xilisoft Corporation

2009-08-27 20:44 . 2009-08-27 20:44 -------- d-----w- c:\program files\Xilisoft

2009-08-24 14:02 . 2009-08-24 15:12 16 ----a-w- c:\windows\pxydb.dat

2009-08-20 11:53 . 2009-08-20 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2009-08-20 06:03 . 2009-08-20 06:03 1060864 ----a-w- c:\windows\system32\MFC71.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-16 06:00 . 2009-06-22 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-16 04:14 . 2009-07-30 21:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-16 04:11 . 2009-05-05 16:21 -------- d-----w- c:\program files\ZTE Mobile Connection

2009-09-15 14:17 . 2008-07-06 13:51 -------- d-----w- c:\program files\World of Warcraft

2009-09-15 13:03 . 2008-11-19 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-10 13:54 . 2009-07-30 21:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 13:53 . 2009-07-30 21:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-30 22:04 . 2008-10-26 00:03 -------- d-----w- c:\program files\Common Files\Real

2009-08-21 11:12 . 2009-06-22 15:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-21 11:12 . 2009-06-22 15:47 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-21 11:12 . 2009-06-22 15:47 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-17 02:04 . 2009-08-17 02:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe

2009-08-17 02:04 . 2009-08-17 02:04 81920 ----a-w- c:\windows\system32\nvwddi.dll

2009-08-17 02:03 . 2009-08-17 02:03 3170304 ----a-w- c:\windows\system32\nvwss.dll

2009-08-17 02:03 . 2009-08-17 02:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll

2009-08-17 02:03 . 2009-08-17 02:03 188416 ----a-w- c:\windows\system32\nvmccss.dll

2009-08-17 02:03 . 2009-08-17 02:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll

2009-08-17 02:03 . 2009-08-17 02:03 3547136 ----a-w- c:\windows\system32\nvgames.dll

2009-08-17 02:03 . 2009-08-17 02:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll

2009-08-17 02:03 . 2009-08-17 02:03 86016 ----a-w- c:\windows\system32\nvmctray.dll

2009-08-17 02:03 . 2009-08-17 02:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe

2009-08-17 02:03 . 2009-08-17 02:03 143360 ----a-w- c:\windows\system32\nvcolor.exe

2009-08-17 02:03 . 2009-08-17 02:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll

2009-08-17 02:02 . 2009-08-17 02:02 229376 ----a-w- c:\windows\system32\nvmccs.dll

2009-08-16 23:57 . 2009-08-16 23:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll

2009-08-16 23:57 . 2009-08-16 23:57 2002944 ----a-w- c:\windows\system32\nvcuda.dll

2009-08-16 23:57 . 2009-08-16 23:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll

2009-08-16 23:57 . 2009-08-16 23:57 1597690 ----a-w- c:\windows\system32\nvdata.bin

2009-08-16 23:57 . 2006-11-11 14:05 485920 -c--a-w- c:\windows\system32\nvudisp.exe

2009-08-16 23:57 . 2006-08-16 07:35 868352 ----a-w- c:\windows\system32\nvapi.dll

2009-08-16 23:57 . 2006-08-16 07:35 155648 ----a-w- c:\windows\system32\nvcodins.dll

2009-08-16 23:57 . 2006-08-16 07:35 155648 ----a-w- c:\windows\system32\nvcod.dll

2009-08-16 23:57 . 2006-08-16 07:35 10457088 ----a-w- c:\windows\system32\nvoglnt.dll

2009-08-16 23:57 . 2005-10-10 13:49 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-08-16 23:57 . 2005-10-10 13:49 5845760 ----a-w- c:\windows\system32\nv4_disp.dll

2009-08-11 11:35 . 2007-10-14 11:28 485920 -c--a-w- c:\windows\system32\NVUNINST.EXE

2009-08-02 11:21 . 2009-08-02 11:21 -------- d-----w- c:\documents and settings\Pci Express\Application Data\HCM Updater

2009-07-30 19:46 . 2009-07-03 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-07-20 13:08 . 2008-11-30 21:32 -------- d-----w- c:\documents and settings\Pci Express\Application Data\LimeWire

2009-06-22 15:47 . 2009-06-22 15:47 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-30 198160]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"sdCoreService"=3 (0x3)

"sdAuxService"=3 (0x3)

"Bonjour Service"=2 (0x2)

"AVGEMS"=2 (0x2)

"Avg7UpdSvc"=2 (0x2)

"Avg7Alrt"=2 (0x2)

"WMPNetworkSvc"=2 (0x2)

"usnjsvc"=3 (0x3)

"OneStep Service"=2 (0x2)

"NVSvc"=2 (0x2)

"nSvcLog"=2 (0x2)

"nSvcIp"=2 (0x2)

"MSSQLServerADHelper"=3 (0x3)

"MSCamSvc"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"ForcewareWebInterface"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"TlntSvrwscsvc"=2 (0x2)

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Antispyware"=c:\program files\Antispyware\Antispyware.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Pci Express\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Steam\\SteamApps\\neilthenum7\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowInboundTimestampRequest"= 1 (0x1)

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

"AllowOutboundSourceQuench"= 1 (0x1)

"AllowOutboundParameterProblem"= 1 (0x1)

"AllowOutboundTimeExceeded"= 1 (0x1)

"AllowRedirect"= 1 (0x1)

"AllowOutboundPacketTooBig"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/06/2009 16:47 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/06/2009 16:47 108552]

S1 hitmanpro2;Hitman Pro 2 Driver;\??\c:\program files\Hitman Pro\hitmanpro2.sys --> c:\program files\Hitman Pro\hitmanpro2.sys [?]

S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [22/06/2009 16:47 908056]

S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/06/2009 16:47 297752]

S4 emsma;emsma;c:\windows\system32\drivers\evum.sys [16/09/2009 05:24 54016]

S4 mbcrc;mbcrc;c:\windows\system32\drivers\gecdtgiu.sys [16/09/2009 05:32 54016]

S4 weekynbn;weekynbn;c:\windows\system32\drivers\oferxgwddtdsb.sys [03/09/2009 12:58 75008]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

TCP: {0BD31D43-0319-4211-A22C-8AF2230A5835} = 217.171.132.1 217.171.135.1

FF - ProfilePath - c:\documents and settings\Pci Express\Application Data\Mozilla\Firefox\Profiles\jowh6dyt.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-16 07:06

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1580)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\wscntfy.exe

c:\program files\AVG\AVG8\avgtray.exe

.

**************************************************************************

.

Completion time: 2009-09-16 7:10 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-16 06:10

Pre-Run: 222,765,056 bytes free

Post-Run: 93,818,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

214

That's all 3


VERY IMPORTANT!! In MBAM you need to check all threats found and then hit "Remove Selected".

Reboot if instructed to do so. All items in your logs are labelled "No action taken" which indicates the threats weren't removed.

We have some additional infected items to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

http://www.malwarebytes.org/forums/index.php?showtopic=24835&pid=127929&st=0entry127929

KillAll::

Driver::
emsma
mbcrc
weekynbn
usnjsvc

Collect::[75]
c:\windows\system32\drivers\evum.sys
c:\windows\system32\drivers\gecdtgiu.sys
c:\windows\system32\drivers\oferxgwddtdsb.sys

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Antispyware"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Antispyware"=-
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{185B646B-4E14-BAF9-42A0-9A5412013BB8} ]

Folder::
c:\program files\Antispyware

Save this to your desktop as CFScript.txt by selecting File -> Save as.

CFScriptB-4.gif

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Your previous Combofix run shows that AVG was enabled. You MUST disable it!!

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe (fixit.exe)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.

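The reply above picks three entries out of the ComboFix log for the Driver:: and Collect:: sections (emsma, mbcrc, weekynbn) and adds the disabled "Antispyware" autorun to the Registry:: section. The signals a helper reads off the log to make that choice can be automated for triage. The script below is an added example written for this page; it is not part of the thread, not a Malwarebytes or ComboFix tool, and the heuristics are the editor's own. The sample input is a constructed excerpt copied from the ComboFix log posted above, and the scan date is taken from the log's "Rootkit scan 2009-09-16 07:06" line.

```python
"""Triage a ComboFix-style log excerpt: flag suspicious driver services,
report the firewall state and list autostart values parked under the
msconfig-disabled 'run-' keys. Added example; heuristics are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# trimmed to the registry and service sections the triage looks at.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Antispyware"=c:\program files\Antispyware\Antispyware.exe -boot
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/06/2009 16:47 335240]
S1 hitmanpro2;Hitman Pro 2 Driver;\??\c:\program files\Hitman Pro\hitmanpro2.sys --> c:\program files\Hitman Pro\hitmanpro2.sys [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/06/2009 16:47 297752]
S4 emsma;emsma;c:\windows\system32\drivers\evum.sys [16/09/2009 05:24 54016]
S4 mbcrc;mbcrc;c:\windows\system32\drivers\gecdtgiu.sys [16/09/2009 05:32 54016]
S4 weekynbn;weekynbn;c:\windows\system32\drivers\oferxgwddtdsb.sys [03/09/2009 12:58 75008]
"""

# Scan time from the posted log ("Rootkit scan 2009-09-16 07:06").
SCAN_DATE = datetime(2009, 9, 16, 7, 6)

# "S4 name;display name;path [dd/mm/yyyy hh:mm size]"  or "... [?]" when the file is missing
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[(.*)\]$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_services(lines):
    """Yield one dict per service/driver line (the R?/S? lines of the log)."""
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, display, path, meta = m.groups()
        stamp = size = None
        if meta != "?":
            day, clock, nbytes = meta.split()
            stamp = datetime.strptime(f"{day} {clock}", "%d/%m/%Y %H:%M")
            size = int(nbytes)
        yield {"state": state, "name": name, "display": display, "path": path,
               "stamp": stamp, "size": size, "missing": meta == "?"}


def flag_services(services, scan_date, recent_days=14):
    """Return {service name: [reasons]} for drivers that look dropped rather than installed.

    Heuristics (editor's assumptions, any one is enough to flag):
      - the display name merely repeats the service name: no product description at all
      - the file lives in system32\\drivers but was written within `recent_days` of the scan
    """
    flagged = {}
    for svc in services:
        reasons = []
        if svc["display"] == svc["name"]:
            reasons.append("display name is just the service name")
        in_drivers = "\\drivers\\" in svc["path"].lower()
        if in_drivers and svc["stamp"] and scan_date - svc["stamp"] <= timedelta(days=recent_days):
            reasons.append(f"driver file written within {recent_days} days of the scan")
        if reasons:
            flagged[svc["name"]] = reasons
    return flagged


def check_registry(lines):
    """Return (firewall_disabled, [(name, command)]) from the Reg Loading Points section.

    Values under a key ending in 'run-' are autostarts that msconfig disabled; they still
    point at the program on disk, which is why the helper removes them in the script."""
    firewall_disabled = False
    disabled_autoruns = []
    current_key = None
    for line in lines:
        key = REG_KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        val = REG_VAL_RE.match(line)
        if not val or current_key is None:
            continue
        name, value = val.groups()
        if current_key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            firewall_disabled = value.strip().startswith("0")
        elif current_key.endswith("\\run-"):
            disabled_autoruns.append((name, value))
    return firewall_disabled, disabled_autoruns


def triage(log_text, scan_date):
    """Run all checks over a log excerpt and return a summary dict."""
    lines = log_text.strip().splitlines()
    flagged = flag_services(parse_services(lines), scan_date)
    firewall_disabled, disabled_autoruns = check_registry(lines)
    return {"flagged_drivers": flagged, "firewall_disabled": firewall_disabled,
            "disabled_autoruns": disabled_autoruns}


def demo():
    """Triage the constructed sample with the scan date from the posted log."""
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    report = demo()
    for name, reasons in report["flagged_drivers"].items():
        print(f"{name}: {'; '.join(reasons)}")
    print("Windows Firewall disabled:", report["firewall_disabled"])
    for name, cmd in report["disabled_autoruns"]:
        print(f"disabled autorun {name!r} -> {cmd}")
```

On the sample the three flagged names are exactly the ones the helper put under Driver::, the AVG and Hitman Pro entries pass (they carry a vendor description and, for AVG, a file date months before the scan), and the script surfaces both "run-" leftovers plus the disabled-firewall setting. The recent-file window is a triage aid only; a legitimately updated driver can trip it, so every hit still needs a look at the file itself.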

Thank you, I will do that once I get home; I am at my girlfriend's currently and I couldn't go on this website from my home PC anymore, it has been blocked along with a few other security websites and the Microsoft website so I can't update Windows etc..

I will copy that and do it on my PC when I get home and reply back with the log, might be in a day or 2 though :P


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

